yet another nat question

Hey All,

I have been going through the posts regarding NAT and I think I am more confused. Here is what I have. I have a 515E with 3 FE ports. 2 networks on the inside interface routed via VLANs through a 4006. I need to translate the internal network, and not the other network, which is our public stuff.

I am confused as to what NAT I need, PAT??? and global statements. I do need to set up some acl's to specific hosts. For example, our mail server has a public IP but I want it behind the firewall; I want all smtp to come only to that server and outbound smtp traffic from our server to any.

I think I have the acl's down but I don't have the slightest idea about global statements and such. I realize I am a bit vague, but I don't know where to begin. (how bout contracting it out....)

Thanks to all


Re: yet another nat question


> but I don't know where to begin

The PDM wizard will guide you with the initial config.

Then use PDM/CLI for the rest of the configuration.

Here are some links to help you out.

Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX

(Note that not all the samples in the following page apply to your scenario - these are just samples to show you what can be done, but not recommendations on what to do):

One of the initial stages should be using syslog messages, as these are very helpful in troubleshooting.

Start logging at level 4 (warnings).
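
As an added illustration, not written by any poster in this thread: a PIX 6.x fragment showing how the nat, global, static and access-list commands referenced above could fit together for the first post's scenario (translate only the private network, leave the public block untranslated, a static for the mail server, SMTP restricted in both directions, syslog at level 4). All addresses are placeholders: 10.1.1.0/24 for the private inside network, 192.0.2.0/24 for the public block, 10.1.1.25 / 192.0.2.25 for the mail server, 10.1.1.50 for the syslog host; comment lines use the ":" convention seen in saved PIX configs.

```text
: Added example config fragment (PIX 6.x syntax), not from the thread.
: Placeholder addresses only - replace with your own.

: 1. Translate only the private inside network, PAT to the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

: 2. The public-addressed network behind the inside interface is not translated.
:    (nat 0 = identity, so those hosts keep their real addresses.)
nat (inside) 0 192.0.2.0 255.255.255.0

: 3. Mail server keeps a fixed public address (one-to-one static, takes precedence over nat).
static (inside,outside) 192.0.2.25 10.1.1.25 netmask 255.255.255.255 0 0

: 4. Inbound from the internet: only SMTP to the mail server.
:    Everything else is dropped by the implicit deny at the end of the list.
access-list outside_access_in permit tcp any host 192.0.2.25 eq smtp
access-group outside_access_in in interface outside

: 5. Outbound: SMTP only from the mail server, other SMTP blocked, rest allowed.
:    Applying a list to inside replaces the default permit-all outbound behaviour,
:    so the final "permit ip any any" is required.
access-list inside_access_in permit tcp host 10.1.1.25 any eq smtp
access-list inside_access_in deny tcp any any eq smtp
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside

: 6. Syslog at level 4 (warnings) to an inside host, as suggested above.
logging on
logging trap warnings
logging host inside 10.1.1.50
```

Denied packets show up in the syslog as "Deny ... by access-group" messages, which is the quickest way to confirm the lists are doing what was intended.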



Re: yet another nat question

Thanks Yizhar,

I think I found some samples of Nat and Pat. My issue before I can complete that is with routing.

From within the Pix I can ping the router connected to the internet as well as hosts out on the internet. I can ping hosts on the private network, but I can't get traffic to pass through the pix and communicate with the 2600 connected to the internet. Below is hopefully a pictorial of what I have. My real public class C has been replaced with



2601 router
w/ as ip address
  |
PIX 515W
  |
Catalyst 4006
  |
Rest of network

I think the route for the 4006 should be

ip route

Is that correct? Also, there are static commands in the PIX that are connect static, and connect static.

Whenever I try to make a static route for network, it says that it already exists. I want to make one to Do I route the ip address of the private interface of the pix?

Hope you can help


Re: yet another nat question

Here is what my config looks like, my acl's and my routes:

My real class C has been replaced with for this.

Any blunders on my part?

XXXXXXXXXXXXX(config)# sh config
: Saved

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1 0 0
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
http inside
snmp-server location XXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXX
snmp-server community XXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt noproxyarp inside
no sysopt route dnat
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80

XXXXXXXXXXXX(config)# sh access-l
access-list inside_access_in permit icmp any any (hitcnt=0)

XXXXXXXXXXXX(config)# sh route
outside 1 OTHER static
inside 1 CONNECT static
dmz 1 CONNECT static
outside 1 CONNECT static

